By Jay Hancock, Kaiser Health News
Houston workers who checked the fine print said they weren’t sure whether they were joining an employee wellness program or a marketing scheme.
Last fall the city of Houston required employees to tell an online wellness company about their disease history, drug and seat-belt use, blood pressure and other delicate information.
The company, hired to improve worker health and lower medical costs, could pass the data to “third party vendors acting on our behalf,” according to an authorization form. The information might be posted in areas “that are reviewable to the public.” It might also be “subject to re-disclosure” and “no longer protected by privacy law.”
Employees could refuse to give permission or opt not to take the screen, called a health risk assessment — but only if they paid an extra $300 a year for medical coverage.
“We don’t mind giving our information to our health care providers,” said Ray Hunt, president of the Houston Police Officers’ Union, which objected so strongly along with other employees that the city switched to a different program. “But we don’t want to give it to a vendor that has carte blanche to give that information to anybody they want to.”
Millions pressured to give up wellness information
Millions of people find themselves in the same position as that of the Houston cops. As more employers grasp wellness as the latest promised solution to soaring health costs, they’re pressuring workers to give unfamiliar companies detailed data about the most sensitive parts of their lives.
But whether or not that information stays private is anything but clear, an examination by Kaiser Health News shows.
In many workplace wellness programs, “it seems by taking the health risk assessment you are waiving your privacy rights,” said Jennifer Mathis, director of programs at the Bazelon Center for Mental Health Law.
At worst, shared information about sensitive conditions could support discrimination by employers, banks, life insurance companies and others. Wellness data is already escaping into what one expert calls “the great American marketing machine” that pitches products according to your diseases and lifestyles, privacy scholars say.
Wellness vendors charge employers a per-person fee to assess workers’ health and motivate them to exercise, eat well, see doctors and take pills. Companies push workers to participate with gift cards, insurance discounts and other rewards or penalties.
“Profound” privacy issues in the wellness industry
As employers flock to the wellness parade, corporate wellness vendors make up what research firm IBISWorld predicts will be a $12 billion industry by 2020 — six times its estimated size in 2011.
Privacy advocates see a void of regulation or even voluntary standards to ensure the information is used as intended. By all accounts the amount of worker wellness data being collected — through the Web, company surveys, wearable devices, gym records and lab tests — is exploding.
“The privacy issues are profound,” said Pam Dixon, executive director of the World Privacy Forum, an advocacy group. “If people are being asked to wear a biometric electronic device, or use a mobile app or work within a wellness program, that data can be used in ways that may be very, very surprising to people.”
Numerous wellness vendors say flatly that privacy is critical to their reputation and that they don’t share information on individual workers with employers, data brokers or marketing companies.
Digging into the fine print
But as the Houston employees found out, the fine print isn’t so plain or reassuring.
- Few workers know that wellness contractors are often unbound by the strict privacy law, known as the Health Insurance Portability and Accountability Act (HIPAA), that restricts doctors and hospitals.
- A review of privacy policies shows that many wellness vendors adopt policies allowing them to share identifiable data with unidentified “third parties” and “agents” working to improve employee health.
- Wellness companies and their contractors routinely share almost completely unregulated “de-identified” data showing group heath results with employers, researchers and others. Scientists have shown such information can be “re-identified” and used for marketing, potential credit screening and other purposes.
Wellness vendor Audax Health, whose work with Houston resulted in “an overwhelming number of employees who were uncomfortable with the privacy statement,” according to a city statement to employees, said it keeps information strictly confidential. Audax’s online portal for employees is called Zensey.
Article Continues Below
Explore the Role of Incentives in Performance Management
“We do not sell or resell personal health information to anyone,” including marketing companies and data brokers, David Sclar, Audax’s chief privacy officer, said through a spokesman. “We do not allow third parties to market to Zensey users.”
From wellness to marketing opportunities
But Audax’s own fine print contradicts the second part of his statement, saying the vendor may direct marketing pitches from third parties to wellness members based on “attributes” it collects from those employees. Audax is majority-owned by insurer UnitedHealth Group.
Other big wellness vendors, including venture-capital backed Welltok, include similar language in their disclosures. Under the heading, “Information Collected by Third Parties,” Welltok says its CaféWell portal might “target advertisements to you based on products and services you may be interested in.”
Jeff Cohen, Welltok’s co-founder, expressed surprise at the statement.
“That goes against everything we represent — probably one of those where a lawyer told us to put it in there,” he said in an interview. “I’m going to go back and talk to our compliance person” about the language, he said.
Cohen said Welltok doesn’t “use and sell and share the data from our platform about users to third parties.”
But as of Sept. 25, the disclosure language was unchanged. And that’s what matters legally, privacy lawyers said.
Pushing workers to participate
Primary wellness vendors such as Audax and Welltok aren’t the only ones collecting employee health data. Wearable device makers, test labs, gym chains, data centers, workout-app publishers are also part of the gold rush.
As frequent partners of employers and wellness providers, each of those companies also gathers worker information of varying sensitivity — often with employers pushing workers to participate — in what amounts to a widening wellness data web.
This article was reprinted from kaiserhealthnews.org with permission from the Henry J. Kaiser Family Foundation. Kaiser Health News, an editorially independent news service, is a program of the Kaiser Family Foundation, a nonpartisan health care policy research organization unaffiliated with Kaiser Permanente.